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A supervisory controller controls and coordinates the behavior of different components of a com- 
plex machine by observing their discrete behaviour. Supervisory control theory studies automated 
synthesis of controller models, known as supervisors, based on formal models of the machine com- 
ponents and a formalization of the requirements. Subsequently, code generation can be used to 
implement this supervisor in software, on a PLC, or embedded microprocessor. In this article, we 
take a closer look at the control loop that couples the supervisory controller and the machine. We 
model both event-based and state-based observations using process algebra and bisimulation-based 
semantics. The main application area of supervisory control that we consider is coordination, re- 
ferred to as supervisory coordination, and we give an academic and an industrial example, discussing 
the process-theoretic concepts employed. 



1 Introduction 



Control software development becomes an important issue due to the ever-increasing machine com- 
plexity and demands for better quality, performance, safety, and ease of use. Traditionally, the control 
requirements are formulated informally and, thereafter, manually translated into control software, fol- 
lowed by validation and rewriting of the code whenever necessary. The cycles of such a design- validate 
process are both error-prone and time-consuming due to frequent ambiguities in the informal specifica- 
tions. This issue gave rise to supervisory control theory 1221 l9l [T71. where models of the supervisory 
controllers, referred to as supervisors are synthesized automatically based on formal models of the un- 
controlled hardware, referred to as plant, and the model of the control requirements. Based on these 
models, the control software is generated automatically. The supervisory controller observes discrete 
machine behavior and sends back control signals about allowed activities. Assuming that the controller 
reacts sufficiently fast on machine input, this feedback loop, depicted in Figure [T^), was originally mod- 
eled as a pair of synchronizing processes 
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Figure 1: Control loop: a) general, b) with event-based, c) with state -based observations. 

In this paper, we focus on the modeling of the control loop and the required process-theoretic con- 
cepts to capture the underlying behavior. The main motivation for the investigation is the oversimplifi- 
cation of the coupling between the plant and the supervisor in the original proposal of Il22l l9l. which still 
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prevails in modern state-of-the-art approaches, like |[T3l [TT1 |20l |26l [T6l to name a few. Furthermore, we 
consider coordination as the main application area of supervisory control, where the coordinator(s) are 
implemented as supervisory controllers that ensure sequencing of events, or deadlock- and livelock-free 
behavior of the plant, according to the given set of (coordinating) control requirements. 

Supervisory control loop To model different aspects of the plant and the control requirements, the 
discrete events that can occur are split into controllable and uncontrollable events. The former can be 
disabled by the supervisor and typically model actuator activities, e.g., starting or stopping a motor. The 
latter cannot be affected by the supervisor if enabled in the plant and standardly model sensor activities, 
e.g., the temperature has reached a given value. We distinguish two types of prominent supervisory 
control loops relying on event- and state-based observations, depicted in Figure [jj>) and c), respectively. 

The control loop in Figure [TJ)) depicts that the supervisor observes events that occur in the plant and 
sends back as feedback the set of controllable events that are allowed for execution. The most prominent 
operation that captures the coupling between the plant and the supervisor is automata-style synchronous 
parallel composition Il22l l9l. This simple operation restricts the plant by omitting (controllable) events in 
the supervisor, thereby preventing synchronization and disabling the events. It was quickly realized that 
this synchronization produces large supervisors that actually memorize the complete supervised behavior 
as the supervisor keeps track of the state of the plant by keeping a complete history of observed events. 

To mitigate the large size of the supervisor several synchronization operators were proposed that 
enable the plant to independently execute uncontrollable events, provided that this does not preclude the 
supervisor from correctly deducing the state of the plant fiT4l[T3l[T5l[T0l . We note that there are other 
models of the control loop that employ the input/output transition paradigm that require an input (set of 
controllable/actuator events) from the supervisor to produce an output (uncontrollable/sensor event) from 
the plant [6l|7l|25l. Nonetheless, they have been shown to be equivalent to one of the above approaches 
with respect to the underlying notions 0. 

What synchronous parallel composition or communication fails to model is the difference between 
the two flows of information, their role, and the different goals of the plant and the supervisor. To this end, 
we propose a send/receive communication to model the different flows of communication in Figure[Tjand 
differentiate between the contributions of the plant and the supervisor. The event-based observation flow 
of Figure [TJ)) enables communication of all observable events, whereas the control signal flow transmits 
only controllable events. In addition, this setting also supports asynchronous communication between 
the plant and the supervisor, which affects almost every implementation of supervisory controllers [8]. 

As a solution to the problem of large supervisors, an alternative approach was proposed in ifTTl . as 
depicted in Figure [TJ;) . The plant (or the supervisor) is augmented with an observer or a tracker that 
deduces the state of the plant and submits this observed information to the supervisor. The supervisor, 
based on this state-based information, acts as a lookup table and feeds the plant with the allowed control- 
lable events in the observed state. In such a way, the supervisor only incorporates necessary information 
in order to exercise control over the plant. Nonetheless, this feedback mechanism is not formalized 
in iPTTT l and, here, we propose to model this variant of the control loop using a process-theoretic approach 
that employs root signal emission (H to capture the state-based observations. Alternative modeling of 
such control loops is by means of shared variables and synchronization [19], but such approaches do not 
distinguish between the different flows of information depicted in Figure^). 

Finally, when employing supervisory control for coordination of distributed systems, the supervisor 
communicates the control actions to several components that have different physical locations. To this 
end, we propose to model the feedback control signal communication from the supervisor by means of 



38 



A Process Algebra for Supervisory Coordination 



broadcast communication (4|. To illustrate the proposed process theories that capture the behavior of the 
control loops of Figure [l])) and c) we revisit two cases, where we applied supervisory coordination: [TJ5) 
a simple case that introduces the main concepts and deals with coordination of an automated guided ve- 
hicle, involving event-based observations, and[jj) a part of an industrial study dealing with maintenance 
procedures inside complex high-tech printers, which employs state-based observations ifTSl . 

Process-theoretic approach The process-theoretic treatment of supervisory control theory is sustained 
by a behavioral relation that captures the notion of controllability, which states that supervisory control 
is possible only if the supervisor can achieve supervised behavior allowed by the control requirements 
without having to disable an uncontrollable event. Prior investigations to process-theoretic treatments of 
supervisory control resulted in a special prioritized synchronization operator |T4~1[T3"1 . while employing 
failure semantics. An alternative approach replaced this special operator with a refinement relation to 
characterize nondeterministic supervised behaviors l20l . In fl26ll24l the refinement is given in terms of 
bisimulation and in terms of simulation in |fT6l . A coalgebraic approach introduced partial bisimulation 
as a behavioral relation suitable to define language-based controllability ll23l . In essence, it states that 
controllable events should be simulated, whereas uncontrollable events should be bisimulated. This no- 
tion was lifted to a concurrency theory for supervisory control that succinctly captured the controllability 
for nondeterministic discrete-event systems O. Here, we extend this framework to elaborately model 
and formalize the behavior of the supervisory control loops depicted in Figure [T] 

The rest of this paper is organized as follows. Section 2 revisits the process theory TCP* from ICQ and 
establishes a link between partial bisimulation and supervisory control. Section 3 shows how to model 
supervisory control loop in the presented theory by applying supervisory coordination to an automated 
production line. Section 4 extends the process theory to incorporate guarded commands and root signal 
emission, which are employed in Section 5, where we revisit an industrial case study of coordination of 
maintenance procedures in a high-tech printer. We finish with a discussion of future challenges and the 
potential of applying process theory in supervisory control. 

2 Process theory TCP* 

In this section we revisit the process algebra TCP* (Theory of Communicating Processes with Itera- 
tion) [ 1 ] in which we introduce generic communication actions and we adopt partial bisimulation as a 
behavioral relation. This process algebra has a rich syntax, allowing us to express all key ingredients of 
concurrency theory, including termination, which enables a strong correspondence with automata theory. 

Syntax We presuppose a finite data alphabet D and a finite set H of channels. We assume that A = 
{c\ m ? n d I c S H, m,n 6 N, d £ D}, where c\ m ? n d is a generic communication action. If m = n = 0, then we 
treat the generic communication action c!q?o^ as a basic event, possibly parameterized with data, notation 
c(d). Otherwise, we handle it as an outcome from synchronization of m send and n receive actions. We 
employ the standard notation for handshaking communication [1], i.e., eld for c\{p.\d, c\d for c\{!$d, and 
cV.d for c\{l\d. Intuitively, these events denote that datum d is received, sent, or communicated along 
channel c, respectively. 

The set of process terms T is generated by the following grammar: 

T::=0 I 1 I a.T \ T T \ T + T \ T\\T \ T* \ d E (T), 
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Table 1 : Operational rules for TCP* 



where a £ A and E C {c! m ?„ | c £ H, m,n £ N}. Let us briefly comment on the operators in this syntax. 
The constant denotes inaction or deadlock, whereas the constant 1 denotes successful termination 0]]. 
For each action a £ A there is a unary operator a. denoting action prefix; the process denoted by a.p can 
do an a-transition to the process denoted by p. The binary operator p ■ q denotes sequential composition 
that behaves like p, followed by q only upon successful termination of p. The binary operator p + q de- 
notes alternative composition or choice on the first action transition of p and q. The binary operator p\\q 
denotes parallel composition (with generic channel communication actions); actions of both arguments 
can be interleaved or, alternatively, communication takes place that keeps track of how many send or 
receive actions are combined. The unary operator p* is iteration or Kleene star that unfolds with respect 
to the sequential composition. The unary operator d^ip) encapsulates the process p in such a way that 
all (incomplete) communication actions, e.g., eld and c\d, are blocked for all data, so that the desired 
type of communication is enforced, e.g., if we were to enforce communication between k processes on 
channel c, then E = {c! m ?„ | < m + n, m + n ^ fc}. 



Semantics We give semantics to the process terms by a labeled transition relation — > C T x A x T 
and a successful termination predicate J. £ T. We employ infix notation and write s-^+t if (s,a,t) £ — > 
and s\, if s £ We derive the transition relation and the successful termination predicate using structural 
operational semantics ET1 . given by the operational rules in Table [T] Alternatively, we depict them as a 
labeled transition system G, specified by the tuple G = (T, A, 4-, — >)■ 

We briefly comment on the rules. The successful termination constant can successfully terminate, 
whereas the action prefix enables outgoing labeled transitions, as given by rules 1 and 2. Rule 3 states that 
iteration can always terminate successfully, which enables sequential composition of recursive processes. 
The unfolding of the iteration is with respect to the sequential composition, as given by rule 4. The 
sequential composition can terminate only if both processes can do so, as given by rules 5, whereas if 
only the first component can terminate successfully, it can continue behaving as the second. The outgoing 
transition of the first component is the same for the sequential composition as given by rule 7. Rules 8 
and 9 state that alternative composition can terminate if one of the components can terminate, whereas 
the choice is made on the outgoing transitions, as stated by rules 10 and 11. The parallel composition can 
terminate only if both components can do so. Rules 13 and 14 enable interleaving of transitions. Rules 
15 states that encapsulation does not prevent successful termination. Rule 16 defines synchronization 
which can occur on communication actions comprising at least one sending or receiving event. The 
communication actions are merged to accumulate the participating send and receive parties. Finally, 
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rule 17 states that all (incomplete) communication actions on a given channel comprising a predefined 
number of senders and receivers are blocked by the encapsulation operation. 

We can easily extend the transition relation to traces of actions in A*. For p,p' G T and t = 

ai,...,a n G A*, we write p -»p' if there exist po,...,p n €T such that p = po — ^ ^ p n = p' ■ By £ 

we denote the empty trace a\ , . . . ,a n for n = and p = p' '. Every finite automaton can be described up to 
isomorphism (and possibly by changing the communication operation) by a term in our setting, see 

Language-based supervision Now, we can translate the central notion of a supervisor ll22l [9J in our 
setting. To this end, we partition the channel names into two disjoint sets of uncontrollable U and 
controllable C channels such that H = U U C and U n C = 0. The uncontrollable and controllable channel 
names induce controllable and uncontrollable actions, respectively, given by Ac = {c\ m 7 n d | c G C, d G 
D} and Ay = {u\ m ? n d \ u G U, d G D}. Next, we define the (prefix-closed) language recognized by the 
process term p or, alternatively, the automaton represented by p, as L(p) = {? G A* | there exists p' G 

T such that p -» p'}. Note that traces do not need to end with successful termination. We denote by 
LL' = {tt' 1 1 G L, t' G L'} the concatenation of the languages L and L'. 

Recall that the supervisor cannot achieve the control requirements by forbidding uncontrollable 
events, when synchronizing with the plant. Suppose that the plant, the control requirements, and the 
supervisor with respect to the former are determined by the languages recognized by the process terms 
p,r,s G T, respectively. If the operation modeling the control loop is denoted by p/s, then L(p/s) C L(p) 
and L{p/s) C L(r), where we refer to p/s as the supervised plant. We note that if strict equality holds, 
then the control requirements can be achieved completely. Often, this is not the case, so one attempts 
to synthesize a maximally-permissive supervisor, which makes L{p/s) as large as possible with respect 
to inclusion. For deterministic systems, this supervisor is unique, equal to the union of all possible su- 
pervisors E2l 191. whereas for nondeterministic systems, a unique maximally -permissive supervisor in 
general does not exist 0. For standard supervisory control Il22l l9l. the operation that models the con- 
trol loop p/s is the full synchronous parallel composition of automata E2l 191. That s does not disable 
uncontrollable events is ensured by requesting that p/s is controllable with respect to p, expressed as 
L(p/i)Ufl L(p) C L(p/s) 11221 191. Controllability is interpreted as follows. If we observe a desired trace 
in the plant followed by an uncontrollable event, then the supervisor cannot request that this uncontrol- 
lable event should be disabled after allowing that trace. If r is controllable with respect to p, then one 
can guarantee the existence of a supervisor s, achieving the desired controlled behavior r by restricting 
the plant p by synchronization, i.e., L{p/s) = L(r). 

Nondeterminism and partial bisimulation The disadvantages of working in the language domain 
have been discussed on many occasions, e.g., see overviews in |[T3l fTTl l2l [Hi. Therefore, a proposal 
was made in to lift controllability to support full nondeterminism in a process-theoretic setting. The 
underlying behavioral relation is partial bisimulation ll23l EL which is parameterized with a bisimula- 
tion actions set B C A that denotes which actions are to be bisimulated, whereas the other actions are 
simulated. 

Definition 1 A relation SCTxTija partial bisimulation with respect to a bisimulation action set B C 
A, if for all (p,q) G R it holds that: 

1. ifpi, then q I; 

2. if p — % p' for some a G A, then there exists q' G T such that q — > q' and (p' ,q') G R; 
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3. if q — > q' for some b G B, then there exists p'£T such that p — > p' and (p',q') G R. 

If (p,q) G R, we say that p is partially bisimilar to q with respect to B and we write p <b q- Ifq<B P 
holds as well, we write p^sq- 

Note that is a preorder relation, making ffg an equivalence relation for all B C A [2]. If B = 0, then 
<8 coincides with strong similarity preorder and f>a coincides with strong similarity equivalence llT2i m. 
When B = A, -h-a turns into strong bisimilarity lfT2l lT1l. Moreover, if p <sq, then p <cq for every CCB. 
We also note that partial bisimilarity is a precongruence with respect to the operators of TCP* 0. 

For given processes p,rgT, representing the plant and the control requirements, respectively, we 
ensure that s G T is a valid supervisor that does not disable uncontrollable events by requiring that 
p/s<®r and p/s<A u p, where Ay C A is the set of uncontrollable events 0. This setting covers both 
the existing deterministic and nondeterministic definition of controllability for discrete-event systems 0. 
From the definition, it is also not difficult to observe, that one obtains the same supervised behavior for 
every p' P- Thus, one direct benefit from our approach is a procedure for coarsest plant minimization 
that respects controllability, based on the partial bisimilarity equivalence. 

Next, we model the supervisory control loop with event-based observations and we illustrate our 
approach by a use case involving coordination of an automated guided vehicle in a production line. 

3 Control Loop with Event-Based Observations 

We employ the process theory TCP* to formalize the behavior of the control loop with event-based ob- 
servations, depicted in Figure [l])). According to the scheme, the plant cannot execute a controllable 
event without the permission of the supervisor, whereas the supervisor must not disable uncontrollable 
events. Nonetheless, the supervisor is able to observe execution of uncontrollable events in the plant, 
so that it can correctly determine the state of the plant and transmit correct control signals. Moreover, 
the supervisor should not execute uncontrollable events independently, as this does not contribute to his 
objective. In addition, the supervisor should not introduce deadlocks or livelocks explicitly, unless dead- 
lock or livelock behavior is inherent to the plant. Finally, we assume that the supervisor is a (global) 
monolithic process, i.e., it is not comprised from multiple modular or distributed synchronizing supervi- 
sors |9). Taking into account the above observations, we can specify the syntax of the plant processes P 
and the supervisor processes S as given by P and S, respectively: 

P::=0 | 1 | cld.P | u\p. k d.P \ P P \ P + P \P\\P\ d E (P) \ P* 
S::=l | dd.S | uld.S \ S + S \ S* , 

where c G C, u G U, £,k G {0, 1}, d G D, and E C {/!„,?„ | / G H, m,n G N}. To implement broadcast 
communication in the case when the supervisor sends control signals to several distributed components, 
which do not have to receive the control signals simultaneously, one would also need to introduce action 
priorities, cf. 0]. Due to page restrictions, we will not employ broadcast in the general form in this paper 
and, instead, we enforce three-way communication by employing only the encapsulation operator. 

Supervisory coordination of an automated production line To illustrate our approach to supervi- 
sory control and the model of the control loop, we discuss a simple example concerning coordination of 
an automated guided vehicle (AGV) in an automated production line, depicted in Figure [2] The AGV 
is responsible for transferring the preproduct made by Workstation M to Workstation N and transfer- 
ring the finished product from Workstation N to the Delivery station. The workstations and the AGV 
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Figure 2: Automated production line 



are coordinated by a supervisor, which sends the corresponding control signals. We can model the au- 
tomated production system depicted in Figure [2] employing TCP*, where M, N, A, and S are process 
terms that model Workstation M, Workstation N, AGV, and the supervisor. We note that we abstract 
from the delivery station, depicted by a single event deliver, as it does not contribute to any inter- 
esting behavior. We retain the communication channel names as depicted in Figure [2j whereas the 
data elements are D = {make, move2N, preproduct, product}. The uncontrollable channel names are 
U = {m,n, produce, process, move, deliver}, whereas C = {s} is the set of controllable channel names. 

M = (slmake. produce (preproduct). mlpreproduct A)* 
N = (nlpreproduct .process(preproduct) .nlproduct A)* 

A = (ml preproduct .s?move2N .move (preproduct) .nlpreproduct .1 + nlproduct. deliver -(product) A)* 
S= (s\make.s\move2N A)* . 

Workstation M repeatedly waits for a command from the supervisor to make a preproduct, which is 
offered to the AGV once it is made. Workstation N waits for a preproduct from the AGV, which is there- 
after processed and offered back to the AGV. The AGV can either pick up a preproduct at Workstation 
M, after which it asks for permission to move the preproduct to Workstation N, or pick up a finished 
product at Workstation N and deliver it. Now, the unsupervised plant is given by the process 

U = d F (M || N || A), where F = {ml,m\,nl,n\}. 

At this point, we note that we enforce meaningful communication of uncontrollable channels within the 
plant by encapsulation and this does not restrict the behavior of the unsupervised plant, but only ensures 
its meaningful behavior. Following the framework outlined above, it can be readily observed that the 
plant U G P follows the outlined syntax. 

In this first modeling instance, we assume that the AGV is responsible for delivering the final product 
and we propose a supervisor as given by the process S. Note that the supervisor S G S follows the outlined 
syntax and it does not make use of any observed information. Supervisor 5 repeatedly gives orders to 
Workstation M for new products to be made, followed by orders to the AGV to transfer the preproduct 
to Workstation N. Thus, the automated production system is modeled as 

U/S = d E (S\\ U), where E = {si, s\}, 
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£(0)=0 §(1) = 1 5(p*) = §(p)* $(pog) = £(p)oS(9) foro G {+,,||} 
€(c! w ?,,d.p) = §(c! w ? B d).§(p) force H,(/gD, m,«GN 

Table 2: Renaming function 

which enforces communication of control signals and transfer of (pre)products. One can directly check 
that S is a valid supervisor by establishing that the supervised plant is partially bisimulated by the original 
plant with respect to the uncontrollable events. To this end, we must employ renaming of events, as 
the original plant has open communication actions that wait for synchronization with the supervisor. 
This renaming function £ traverses the process terms and renames all open communication actions to 
succeeded communication actions. We note that we overload the name of the renaming function of 
the process terms and apply it to the communication action names as well. Also, we only specify the 
communication actions that are actually renamed. The definition of the renaming operation is given by 
structural induction in Table [2] 

Now, in order to verify that the supervisor does not disable uncontrollable events, it is sufficient to 
verify that it holds that 

U/S< Au £,(U), where E, : sld sV.d for d G D, 

which can be directly checked. We note that there was no restriction imposed on the control requirements, 
which in this case coincide with the plant and are, therefore, trivially satisfied. 

Nonblocking supervision Unfortunately, our automated production system has a deadlock. The main 
reason for the deadlock is that a second preproduct can come too early, before the first product is com- 
pletely finished and delivered, which is set off by sending a slmake command too early, i.e., before the 
processed product has left Workstation N. Then, the AGV picks up the preproduct from Workstation M, 
but it cannot deliver it to Workstation N, as the latter also waits for a finished product to be picked. A 
trace that leads to deadlock is 

sV.make produce(preproduct) mV.preproduct sUmove2N n P.preproduct 
sV.make produce (preproduct) mTtpreproduct sV.move2N process{preproduct) 0. 

Such form of blocking behavior appears often, so in many cases the supervisor is additionally required to 
prevent deadlock and/or livelock, or also known as blocking, behavior l22l l9l. To this end, special marked 
states are introduced to automata in supervisory control. We note that these states roughly correspond 
to successful termination in our setting. The correspondence is not strict, mainly due to the absence of 
sequential composition and the Kleene star operator in the supervisory control literature and the role 
of the successful termination in these contexts, confer Table [T] Note that the marked states do not 
contribute to the formation of the recognized language of an automaton, which is different from its 
marked language B2"l 191. 

So, besides the control requirements, we impose an additional deadlock-freedom requirement on the 

supervisor, stated formally as: there exists no trace t e A* such that U /S^O. To ensure this additional 
nonblocking requirement, we have to modify the supervisor to accept requests for making a new preprod- 
uct only after the finished product has been loaded on the AGV, to be transferred to the delivery station. 
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To this end, the supervisor should allow for a new product to be made only after the finished prod- 
uct has been loaded to the AGV at Workstation N, which can be achieved by observing this additional 
information on channel n. 

To this end, we modify the supervisor to S' as follows: 

S' = (slmake .s\move2N .n? product. I)* . 

At this point, we note that communication on the channel n now must occur between three parties, i.e., 
Workstation N that sends information and the AGV and the supervisor that receive it. In order to enforce 
this communication, we employ the generic communication actions, i.e., we encapsulate all (incomplete) 
communication actions on n, except for n\{?2product. The definition of the deadlock-free supervised 
plant now becomes: 

U/S' = d E ,{S' || U), where £' = {*?, «?,«!?}. 

Again, one directly verifies that the supervisor is valid by establishing partial bisimilarity between the 
supervised and the original plant following an appropriate renaming of the incomplete communication 
actions, given by E, : sld \-t slid, nV.d h-> n\{l>id for d G D. 

Next, we extend the process theory TCP* to accommodate state-based observations as well. 

4 Control Loop with State-Based Observations 

We propose TCP]\ an extension of TCP*, with propositional signals [5] and guarded commands in order 
to support the modeling of a control loop with state-based observations. To this end, we employ the 
Boolean algebra 

B = (N,F,T,-.,A,V,=>), 

where N = {Pi , . . . ,P n } are the propositional symbols, the constants represent false and true, whereas the 
operators denote negation, conjunction, disjunction, and implication, respectively. We use B to denote the 
standard Boolean expressions of B, which are evaluated with respect to a given valuation v : B — > {F, T}. 
The set of valuations is denoted by V. 

Process theory TCP£ We enrich the syntax of TCP* and the set of process terms T with the inac- 
cessible process constant, guarded commands, and signal emission. The inaccessible process, notation 
_L, specifies the process in which there are inconsistencies between the valuation of the propositional 
variables and the emitted propositional signals. Such a state cannot be reached from any consistent 
state. The guarded command, notation <p :— > p, specifies a guard € B that guards a process p G T. 
If the guard is successfully evaluated, the process continues behaving as p G T or, else, it deadlocks. 
The root signal emission process emits the propositional signal G B until the process p G T 

takes an outgoing transition, provided that the propositional signal is consistent with the valuation. To 
be able to evaluate the propositional expressions, we couple the process terms with valuations, notation 
(p,v) G T x V. The dynamics of the valuations, with respect to outgoing labeled transitions, is captured 
by a predefined valuation effect function, given by effect: A x V — > 2 V . With respect to the valuation 
we have to extend the successful termination predicate to | G T x V and the labeled transition relation 
to — > GTxVxAxTxV. We introduce an additional consistency predicate \ G T x V that checks 
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Table 3: Operational rules for TCP^ 

whether the state is consistent. The operational rules in Table [3] give the semantics of the new predi- 
cate and the transition relation with respect to the new operators. We note that the operational rules of 
Table [T] have to be enhanced by decorating the process terms with valuations and additional checks for 
consistency. 

The rules ensure that when taking an action transition, the target state is always consistent. We 
comment the important rules that are not directly taken from Table [T] and adapted in a setting with 
valuations. The deadlock, successful termination, and action prefix are always consistent as stated by 
rules 18, 19, and 21, respectively. The target process must be consistent for the target valuation, which is 
determined by the effect function as given by rule 22. Rules 23-27 introduce valuations and consistency 
for the alternative composition, whereas rules 28-32 do the same for the sequential composition and rules 
33-35 describe iteration. Rules 38 and 39 introduce interleaving in the new setting. Rule 40 shows how 
the effect function is impacted by synchronization. For the effect function to be well-defined with respect 
to the valuations by interleaving and synchronization JT], we require additionally that 

effect(cli +m l k+n d,v) C effect(c\j n d,effect(c\£? k d,v))neffect(c\e? k d,ejfect(c\ m ? n d,v)) 

for all £,k,m,n G N with £ + k > and m + n > 0. Rules 41-43 introduce the encapsulation operator in 
the new setting. Rules 44 and 47 show that a guarded process does not deadlock only when the guard 
evaluates to true. We note, however, that the value of the guard does not affect the consistency of the term, 
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provided that the term that is guarded is consistent. This is in direct contrast with signal emission, see 
rule 49, where the consistency is preserved only if the emitting signal is consistent within the valuation. 
In that case, the process that emits the signal can continue with its normal execution. 

Finally, we also have to adapt our behavioral relation in order to correctly handle the valuations. 
Here, we directly employ the approach of [H, where this extension is shown for bisimulation. We 
consider a relation R C T x T to be a partial bisimulation with respect to a bisimulation action set B C A, 
if for all (p,q) £Rit holds that: 

1. if (p,v) I for some v G V, then (q,v) I; 

2. if (p,v) (p',v') for some v G V and a G A, then there exists q' G T such that (q,v) (q',v') 
and (p',q') G R; 

b b 

3. if (q,v) — > (q',v') for some v G V and b G B, then there exists p G T such that (p,v) — > (p',v') 
and (p',q') £ R. 

Again, if (p,q) G R, we say that p is partially bisimilar to q with respect to B and we write p <b q- If 
q<BP holds as well, we write p^%q. Also, we consider a process s G T to be a supervisor of the plant 
p G T with respect to the control requirements r GT if p/s<%r and p/s<^ p. 

Plant and supervisor syntax Now, we can model the control loop with state-based observations as 
depicted in Figure[T]:). Intuitively, the plant emits a signal that identifies the observable states. Upon ob- 
serving such a signal, the supervisor checks which controllable actions are allowed in the state identified 
by the signal. Allowance of actions is specified in the form of guarded prefixes in which a process term is 
bound to a prepositional formula deduced from the control requirements. These new concepts introduce 
further asymmetry in the control loop, where the syntax of the plant and the supervisor is again given by 
P and S, respectively: 

P::=0 | 1 | cld.P \ u\p. k d.P \ P P \ P + P \P\\P\ d E (P) \ (j) :^P | (j)^P \ P* 
S::= \ | dd.S \ S + S | :^ S \ S* , 

for c G C, u G U, £,k G {0, 1}, d G D, G B, and E C {/! m ?„ | / G H, m,n G N}. 

We note that in the state4jased setting, the control requirements can be stated directly in terms of 
states, i.e., signals that the state is emitting, and additionally, one can specify which events are allowed 
with respect to the emitted signals. The control requirements R have the following syntax given by R: 

. f\ m \d xii /UV 

R ::= | — > =^<p|</>=^ , 

for / G H, d G D, m,n G N, and <p G B. Given control requirements r G R are satisfied with respect to 
process G T in the valuation v G V, notation (p, v) |= r, according to the following operational rules: 

si v(0)=T 52 (p^h^^W 53 v(0)=T, (p,v) f ±h d 

where (p,v) — /->■ for a G A holds if there does not exist (p' ,v') such that (p,v) — > (p' ,v') with V = 
effect(a,v). We note that the second form of the control requirements is introduced since it corresponds 
better to modeling intuition and it is equivalent to the third, which is easily seen from the operational 
rule 52. Furthermore, for the prepositional symbols, we employ the notation /«(StateName), where 
;>i(StateName) is a signal emitted from the process, corresponding to a state in the labeled graph rep- 
resentation identified by StateName. For example, in the Current Power Mode process in Figure [5] the 
process modeling the state with associated name Standby emits the signal in (Standby). 
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5 Coordination Control of Maintenance Procedures 

We employ the process theory TCP^ to model the coordination of maintenance procedures of a printing 
process of a high-end Oce printer |[T8l . The printing process consists of several distributed independent 
components as depicted in Figure [3^). The process applies the toner image onto the toner transfuse belt 
and fuses it onto the paper sheet. To maintain high printing quality, several maintenance operations have 
to be carried out, like: toner transfuse belt jittering, which displaces the transfuse belt to prolong its lifes- 
pan due to wearing by paper edges; black image operation, which removes paper dust by occasionally 
printing completely black pages; coarse toner particles removal operation; etc. Most maintenance oper- 
ations are scheduled after a given number of prints, but must be carried out after a given strict threshold. 
To perform a maintenance operation, the printing process has to change its power mode, from Run mode, 
used for printing, to Standby mode, required for maintenance. However, this change can actually trigger 
pending maintenance operations, which may unnecessary prolong the user waiting time. 

As an illustration, in Figure [3])) we depict the situation, where due to inevitable execution of main- 
tenance operation A, the ongoing print job is suspended and the power mode of the printer is changed 
to Standby. However, an unwanted situation occurs, i.e., the power mode change triggers a longer, yet 
postponable maintenance operation B as depicted in Figure |3j;). For instance, a black image operation 
(A) must be performed, which takes the time needed to print one page and is activated often, but the 
switching of the power mode triggers the much longer toner transfuse belt jittering (B), thus making the 
user wait unnecessarily. 

The goal of the research performed for this use case was to eliminate undesired emergent behavior 
due to interactions of otherwise correctly-functioning distributed components, with primary focus at 
coordinating maintenance operations. Our approach was to synthesize a supervisory coordinator for the 
maintenance procedures [18], which here we model in the proposed process theory. 

Informal description of the printing process An abstract view of the control architecture of a high- 
end printer is depicted in Figure [4] Print jobs are sent to the printer by means of the user interface. The 
printer controller communicates with the user and assigns print jobs to the embedded software, which 
actuates the hardware to realize print jobs. The embedded software is organized in a distributed way, 
per functional aspect, such as, paper path, printing process, etc. Several managers communicate with the 
printer controller and each other to assign tasks to functions, which take care of the functional aspects. 

We depict a printing process function comprising one maintenance operation in Figure|4] We abstract 
from all timing behavior, which can be present in some control signals, e.g., execute a maintenance 
procedure after a given delay. Each function is hierarchically organized as follows: (1) controllers: 
Target Power Mode and Maintenance Scheduling, which receive control and scheduling tasks from the 
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Figure 4: Printing process function. 



managers; (2) procedures: Status Procedure, Current Power Mode, Maintenance Operation, and Page 
Counter, which handle specific tasks and actuate devices, and (3) devices as hardware interface. 

The Status Procedure is responsible for coordinating the other procedures given the input from the 
controllers. It will be implemented as a supervisory coordinator with respect to the coordination rules 
given below. The Current Power Mode procedure sets the power mode to Run or Standby depending 
on the enabling signals from the Status Procedure StblRun and Run2Stb, respectively. The confirma- 
tion is sent back via the signals JnRun and JnStb, respectively. Maintenance Operation either carries 
out maintenance operation or it is idle. The triggering signal is OperStart and the confirmation is sent 
back by jOperFinished. The Page Counter procedure counts the printed pages since the last mainte- 
nance and sends signals when soft and hard deadlines are reached using _ToSoftDln and _ToHardDln, 
respectively. The counter is reset each time the maintenance is finished, by receiving the confirmation 
signal JOperFinished from Maintenance Operation. The controller Target Power Mode defines which 
mode is requested by the manager by sending the control signals JTargetStb and JTargetRun to the Status 
Procedure. Maintenance Scheduling receives a request for maintenance from Status Procedure via the 
signal SchedOper, which it forwards to a manager. The manager confirms the scheduling with the other 
functions and sends a response back to the Status Procedure via the control signal JExecOperNow. It 
also receives feedback from Maintenance Operation that the maintenance is finished in order to reset the 
scheduling. 



Plant modeling in TCP^ We model the procedures by means of processes. We retain the names 
of the control signals, turning them into communication actions where appropriate. The controllable 
communicating channels are the given by C = \Run2Stb, StblRun, SchedOper, OperStart], modeled as 
receive actions in the plant. We note that we abstract from data elements as communication should 
only enforce ordering of events. The other actions are uncontrollable, also prefixed by _, where only 
JOperFinished is modeled as a communication action, as the procedure Maintenance operation must 
send signals and reset Page Counter and Maintenance Scheduling. The signals emitted from the plant 
uniquely identify the state of the plant. For clarity, we also depict the processes in Figure [5J where the 
signal names are given next to the states that emit them. Page Counter is modeled by the process C, 
where JOperFinished is modeled as a receive action, to be synchronized with Maintenance Operation: 
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C = (m(NoDeadline)^( 

_OperFinishedl .1 + 
.ToSoftDln. {in (SoftDeadline) 

jOperFinishedl . 1 + JToHardDlnM(HardDeadline)^_OperFinished7.\)))^ . 

Maintenance Operation is specified by the process O, where JDperFinished broadcasts that the main- 
tenance operation has finished: 

O = (z'ra (Operldle) ^OperStartl .in (OperlnProg) ^ OperFinishedl A)* . 

Target Power Mode is modeled by T: 

T = (z'ra(TargetStandby) ^-TargetRun.in^TargeiRun) ^ JTargetStandby. l) , 

whereas Current Power Mode is given by P: 

P = (in(Standby)^Stb2Run?.in(Startmg)^JnRun. 
z'ra(Run) ^Run2Stbl. in(Stopping) ^JnStb.l)* . 

Finally, Maintenance Scheduling is specified as M: 

M = (in(NotSched\Aed)^SchedOper7Jn(SchediAed)^J:xecOperNow. 
in (ExecuteNow) ^ .OperFinished? . 1 ) * . 

Due to the generic valuation effect function, we need to impose additional restriction on the emitted sig- 
nals. More precisely, we wish that the signals emitted in a process are not ambiguous, e.g., it cannot be 
that both zVi(Standby) and m(Run) are valid at the same time as these are two distinct states that belong 
to the same process. Note, however, that this situation is possible as one can easily construct a valuation 
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effect function that always assigns the same values to the above propositional symbols. However, such 
misconstrued valuations can actually lead to wrong supervised behavior as the supervisor bases its de- 
cision on the emitted signals, which are deduced from the valuations. At this point, we have two viable 
options. One is to make the signal emission complete and rewrite all signal emissions such that the effect 
function leads to inconsistencies unless it uniquely defines each state. For example, then we would have 
to rewrite T to T'\ 

T' = ((jn(TargetStandby)A-.jn(TargetRun))^^rarge/«wn. 

(-.m(TargetStandby) A /n(TargetRun)) ^ _TargetStandby . l)* , 

and adapt the rest of the processes analogously. The other option is to set an invariant process in parallel 
to the components that will ensure that only one state can be identified per process. To this end, we 

define the operation ®p e $P — Vpgs A I\qes\{p} ~^Q) ^ or a set °^ prepositional symbols SCN, which 
ensures that only one propositional symbol, i.e., one signal, is exclusively emitted per state. Now, the 
invariant process / that enforces this restriction can be specified as: 

/ = ((ALi© Pe{5i} p)*o)*, 

where S; C N for i G {1, . . . ,5} contain the signals emitted by the processes C, O, T, P, and M, respec- 
tively, i.e., 

51 = {/«(NoDeadline),m(SoftDeadline),m(HardDeadline)}, 

52 = { in ( Operldle ) , in ( OperlnProg) } , 

53 = { in (Targets tandby),/«(TargetRun)}, 

54 = {m(Standby),m(Starting), in (Stopping), in (Run)}, 

55 = {zrc(NotScheduled),z«(Scheduled),z«(ExecuteNow)}. 

Finally, the unsupervised plant can be specified as U G P given by: 

U = d F (C\\ 0\\ T ||P || AT) || /, 

where F = {_OperFinished?,-OperFinished\,-OperFinished\{{?2,-OperFinishedV} enforces a three- 
way communication between C, O, and M. We note that due to the stringent streamlining invariant, the 
role of the valuation effect function is now diminished and one can simply assume that effect(a,v) = V 
for every a G A and v G V. 

Coordination requirements We synthesized a coordinator that implements Status Procedure, see Fig- 
ure^ which coordinates the maintenance procedures with the rest of the printing process. The following 
coordination requests describe the behavior of the Status Procedure: 

1. Maintenance operations can be performed only when the printing process is in standby; 

2. Maintenance operations can be scheduled only if soft deadline has been reached and there are no 
print jobs in progress or a hard deadline is passed; 

3. Maintenance operations can be started only after being scheduled; 

4. The power mode of the printing process must follow the power mode dictated by the managers, 
unless overridden by a pending maintenance operation. 
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We formalize these control requirements as follows: 

1. The maintenance procedure is performed if the process emits the signal zVi(OperlnProg), while 
emitting the signal /n(Standby) as well: 

Ri = zTi(OperlnProg) =>• in (Standby). 



2. For the control signal SchedOper! to be sent to Maintenance Scheduling, either one of the fol- 
lowing must hold: (1) A soft deadline has been passed, identified by emission of the signal 
zn(SoftDeadline), and there are no print jobs waiting, meaning that the target power mode is not 
in run, identified by the signal z'n(TargetRun); or (2) A hard deadline has been passed, indicated 
by the signal zTi(HardDeadline). This is captured by the following control requirement: 

R 2 = Sch ^ er - => iZ/MSoltDeadline; ///! TargelRuni) /m HardDeadline). 

3. The maintenance operation can be started by sending the control signal OperStart! only if it has 
been scheduled, prompted by the emission of the signal in (ExecuteNow): 

A OperStart\ . . . 

/? 3 = — > => m (ExecuteNow). 

4. If we want to switch from standby to run power mode, indicated by sending the control signal 
Stb2Run!, then this has been requested by the target power mode manager by emitting the signal 
zTi(TargetRun), provided that there are no maintenance operations scheduled, for which the signal 
in (ExecuteNow) should be checked: 

r a x A stb2Run _^ j n (T ar g e £R un ) /\ (ExecuteNow). 

When switching from run to standby power mode, indicated by sending the control signal Run2Stb!, 
the target power mode should be in standby, given by emission of the signal zTi(TargetStandby). 
An exception is made when a maintenance operation is scheduled to be executed, given by emis- 
sion of the signal in (ExecuteNow): 

r 42 A *«^|* _^ /^(TargetStandby) V in (ExecuteNow). 



Supervisor synthesis With respect to the control requirements we synthesized a deadlock- and livelock- 
free maximally -permissive supervisor lfl"8ll . The supervisor sends the control signals upon observation of 
certain signal combinations, which are given in the form of guards. The indices of the guards correspond 
to the indices of the control requirements that concern the control signal: 

g 2 = (zVi(SoftDeadline) Am(TargetStandby)) V/ra (HardDeadline) 
g3 = zTi(Standby) Am (ExecuteNow) 

g4.i = -tin (ExecuteNow) AzVz(TargetRun) A -im(OperlnProg) 
g4,2 — (-^(ExecuteNow) A m(TargetStandby)) V in (ExecuteNow). 

The supervisor is given by S G S: 

5 A f g2 :^SchedOper\A+g 3 :-)• OperStart \. I +g 44 :-)■ Stb2Run !. 1 +g4,2 Run2Stb\.\) . 
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Figure 6: Alternative form of the supervisor 



Now, the supervised plant U/S is given by: 

U/S = d E (S || U), where E = {c!,c? | c G C}. 

Again, we can show that the supervised plant is partially bisimilar to the original plant with respect to 
the uncontrollable events by showing that 

U/S< Au £(U), where^: c? ^ d? for c G C. 

The above form of the supervisor does not provide much information regarding the choices made. 
It can be visualized as a single state transition system with four outgoing guarded transitions. However, 
it is not difficult to deduce that initially the event RunlStb is not possible since the initial signal is 
/^(Standby). Also, StartOper is initially unavailable as the signal m(ExecuteNow) is not emitted. 
In order to better understand the consequences of the control choices made by the supervisor and the 
thereafter enabled controllable events, we depict an alternative supervisor in Figure [6] We note that 
both variants of the supervisor produce equivalent supervised behavior (the guards remain the same), 
the difference being that the supervisor depicted in Figure [6] reveals the consequences of choosing a 
particular controllable action. We can now observe, that if the operation is scheduled while the printing 
process is in standby power mode, then it can be directly executed, returning the supervisor to the initial 
state. However, if the power mode is run, then the maintenance operation can still be scheduled, but the 
system has to switch to standby power mode before it can be executed. 

6 Conclusions and Future Work 

We modeled two prominent types of supervisory control loops, one employing event-based observations 
and the other employing state-based observations. To this end, we revisited the process theory TCP* 
of Hl> where we introduced generic communication actions to model communication between multiple 
parties, and we applied the developed theory to model the control loop with event-based observations. 
We classified the processes modeling the unsupervised system and the controller to capture their specific 
goals. We illustrated our approach on an academic example of coordinating an automated guided vehicle 
in a production line. To model the control loop with state-based observations as well, we extended the 
process theory with guarded commands and root signal emission, leading to TCP]\ We reiterated on an 
industrial study dealing with coordination of maintenance procedures in a printing process of a high-tech 
printer. We demonstrated that our approach is capable of modeling the interaction in the control loop 
precisely by distinguishing between the information flows of the observations and the control signals. 
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Application of process theory in supervisory coordination The work presented in this paper is 
merely the third step in our investigations regarding application of process theory in supervisory control 
and coordination. Our prior work identified and employed partial bisimulation as a suitable behavioral 
relation to capture the central notion of controllability [2]. Based on this relation we developed an effi- 
cient minimization procedure for nondeterministic plants that respects controllability. Here, we modeled 
the most prominent variants of the supervisory control loop and further calibrating the process algebra 
with respect to the notions that are needed to correctly capture the central notions of supervisory control 
theory. 

The issues are far from resolved. We intend to proceed in several directions of research, where we 
expect that a process-theoretic approach can advance the theory and/or define the notion more clearly and 
concisely. One issue that we partially treat in this paper is the notion of partial observability, which is an 
inherent property of plants in which due to unavailability of sensors certain information is unobservable 
to the supervisor J9). There is a lot of work regarding partial observability of events, which can be treated 
as uncontrollable actions that are not communicated to the supervisor or as silent steps from which the 
supervisor has to abstract. The first option is already present in the current setting, whereas the second 
approach is more than familiar in the process-theoretic community. An unavoidable complication in 
supervisory control is that the supervisor must not make a wrong control choice, irrespective of not 
being able to observe the correct state of the plant, making partial observability a global property 0. 
In the setting with state-based observations, one can easily abstract from state information by emitting 
slightly ambiguous signals, e.g., instead of uniquely identifying as being in states S or T, one can emit 
the signal in(S) V in(T). We intend to further investigate the mechanics of state abstraction in supervisory 
control. 

As expected, there are quantitative extensions of supervisory control theory employing real and 
stochastic timing, probabilities, and data. However, the supervisory control community seems to strug- 
gle with clear and acceptable definitions of controllability, as typically these follow the original approach 
of ||22] and are, thus, given in trace semantics. There are other approaches that are instead based on 
games, but these often suffer from great computational complexities. We believe that here the commu- 
nity of process theory and verification can contribute a great deal, both in providing suitable definitions 
and algorithms for minimization and supervisor synthesis. Finally, the supervisor synthesis algorithms 
almost always have distributed, decentralized, modular, or hierarchical implementations. Concurrency is 
inherent to our work, and we believe that there are a lot of interesting problems, issues, and challenges 
that are hidden in this exciting field. 
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